
Re: [Pkg-puppet-devel] Wheezy update of puppet?

Hi pabs,

On 18:30 Wed 24 May, Paul Wise wrote:
> On Wed, May 24, 2017 at 6:24 PM, Paul Wise wrote:
> > In Python/Perl YAML libraries there are ways to safely load YAML
> > files, does Ruby not have the same possibilities?
> After a bit of searching, I wonder if copying the ruby-safe-yaml
> package from wheezy-backports to wheezy and then patching puppet to
> use that might be a good solution.

Just a couple of notes here:

 - Wheezy's Puppet is running under Ruby 1.8, which uses the old Syck
   YAML library. Ruby 1.9.3 and onwards uses Psych, which indeed
   provides a safe_load method. In short, the YAML engine is something
   to be aware of.

 - YAML safe loading depends on deserializing only known-safe types. We 
   need to make sure that this will not break the application. In theory 
   it shouldn't, as the facts in 2.x are plain strings.
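
The safe-loading behaviour discussed in this message, as an added example that is not part of the original mail or of Puppet's code. It assumes a Ruby whose Psych provides `safe_load` (so not the Syck engine of Wheezy's Ruby 1.8); the sample documents and the helper names `load_facts` and `try_load` are constructed for illustration.

```ruby
require 'yaml'

# Constructed sample: facts as a flat mapping of plain strings.
PLAIN_FACTS = <<~YAML
  hostname: web01
  operatingsystem: Debian
  lsbdistcodename: wheezy
  uptime_days: "12"
YAML

# Constructed sample: one value carries a Ruby object tag, which an
# unrestricted load would try to turn into an instance of that class.
TAGGED_FACTS = <<~YAML
  hostname: web01
  extra: !ruby/object:OpenStruct
    table:
      foo: bar
YAML

# Hypothetical helper: parse with Psych's restricted loader, then confirm
# the result is what the application expects (string keys, string values).
def load_facts(yaml_text)
  data = Psych.safe_load(yaml_text)
  raise ArgumentError, 'facts must be a mapping' unless data.is_a?(Hash)

  bad = data.reject { |k, v| k.is_a?(String) && v.is_a?(String) }
  raise ArgumentError, "non-string facts: #{bad.keys.inspect}" unless bad.empty?

  data
end

# Hypothetical helper: report whether a document was accepted or rejected,
# and by which exception class.
def try_load(yaml_text)
  [:ok, load_facts(yaml_text)]
rescue Psych::DisallowedClass, Psych::BadAlias, ArgumentError => e
  [:rejected, e.class.name]
end

if $PROGRAM_NAME == __FILE__
  p try_load(PLAIN_FACTS)
  p try_load(TAGGED_FACTS)
end
```

The second check in `load_facts` is the compatibility question raised above: any fact that is not a plain string shows up as an explicit error rather than a silent change in behaviour.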

